Traditional ways of dealing with DDoS effectively involved network providers building in-excess capacity to absorb the impact of an attack. However, these incidents have grown in size to more than one terabit per second, far outstripping expected size and excess capacity.

On top of this, standard ways of dealing with DDoS are unable to stop other uses of botnets, such as spreading ransomware. And as botnets add insecure Internet of Things (IoT) devices to magnify their attacks, future incidents can only increase in scale and complexity.

The report from the Department of Homeland Security and the Department of Commerce highlights a number of changes that need to be made.

Infrastructure providers should share more data about evolving threats -- especially with smaller, less well-funded, or niche players -- and see what benefits come from a move to IPv6, the report said.

Enterprises need to isolate legacy devices and other devices that cannot be secured, deploy on- and off-premise DDoS mitigation services and rethink their network architectures.

Industry and law enforcement should work to find ways to coordinate more often and earlier to detect and prevent threat activity, and to manage incidents that take place.

Devices: the biggest threat

But the biggest section of the report deals with the threat from devices -- PCs, smartphones and IoT devices which, it said, have often been designed without security in mind.

"Developers are either unaware of good security design practices, assume that the device will be inaccessible (e.g., on a local network inaccessible from the Internet), or want to avoid security solutions that impose additional cost, increase time to market, or make a device harder for consumers to use. The resulting design choices, such as hard-coded administrative passwords, create inherently insecure devices. In other cases, appropriate security controls are present but usability and user interfaces result in less-secure configurations."

The report noted that software developments result in -- optimistically -- a flaw every 2,000 lines of code, and many of these flaws create exploitable security vulnerabilities. Although modern servers, desktops, laptops, and smartphones offer significantly fewer opportunities for compromise, this is not the case with new classes of device.

"IoT devices are often sorely lacking in security-focused features. These systems now offer the most attractive target to malicious actors, and are an increasingly large percentage of the devices in the ecosystem," the report warned.

Another problem is that modern devices are not the only ones connected to the internet: many legacy servers, desktops, laptops, and mobile phones in use today are no longer supported by their manufacturers, so their vulnerabilities cannot be easily addressed. Software piracy can run as high as 70 percent in China, and manufacturers typically restrict the distribution of security patches to systems running legally purchased software, so these systems cannot be secured against known vulnerabilities.

All of this needs to change, the report said.

"Devices must be able to resist attacks throughout their deployment lifecycles -- at the time of shipment, during use, and through to end-of-life. For this to occur, security must become a primary design requirement. Vendors must not ship devices with known serious security flaws, must include a secure update mechanism, and must follow best current practices (e.g., no hard-coded passwords, disabling software features that are not critical to operation) for system configuration and administration. Vendors should disclose the minimum duration of support to customers, and device manufacturers should maintain secure update services for the promised duration."

However, the report acknowledged that at the moment the economics of tech work against security: "Market incentives appear to exacerbate the problem. Product developers prioritize time to market and innovative functionality over security and resilience. Security features are not easily understood or communicated to the consumer, which makes it difficult to generate demand."

The report said that change could start with the enterprise buyer, and -- perhaps optimistically -- argued: "The value proposition for better security will likely start in the enterprise environment due to its economies of scale; once there is a generally accepted security posture in a given product class, few manufacturers would be likely to ignore it."

Thank You

By registering you become a member of the CBS Interactive family of sites and you have read and agree to the Terms of Use, Privacy Policy and Video Services Policy. You agree to receive updates, alerts and promotions from CBS and that CBS may share information about you with our marketing partners so that they may contact you by email or otherwise about their products or services.
You will also receive a complimentary subscription to the ZDNet's Tech Update Today and ZDNet Announcement newsletters. You may unsubscribe from these newsletters at any time.